Endpoint Protection

Phishing scam targets TurboTax users to steal refund payments 

02-12-2015 11:42 AM

turbotax-scam-image.jpg

TurboTax, the most popular online tax preparation software, halted state e-filing from February 5 to February 6 due to an increase in suspicious activity. The service was suspended because stolen account credentials were used to file fake state tax returns. Scammers have been masquerading as TurboTax in an attempt to phish account credentials of TurboTax users.

TurboTax Identity Service
fake_turbotax_email.png
Figure 1. Fake ‘TurboTax Identity Service’ email

The email begins with “Dear TurboTax User,” a common red flag that the email did not originate from TurboTax, as legitimate emails would address the user by their name. From there, the email gets straight to the point by asking the recipient to verify their identity to ensure uninterrupted service and prevent illegal activity. It provides instructions on how to do so, specifying that they need a modern browser with JavaScript enabled.

HTML attachment
The email contains an “attached form,” an HTML attachment that borrows source code and elements from the real TurboTax website. Last month, we noticed a LinkedIn phishing scam using this exact tactic.

turbotax_local_html_login.png
Figure 2. Fake TurboTax page

When reviewing the attachment, we noticed that parts of the page, such as the header and footer sections, did not render correctly. However, the body of the HTML file is stylistically identical to the real TurboTax website.

When a user logs into a website, the only two pieces of information that they typically need to provide are their user ID and password. In this case, the scammers have added additional fields for the recipients’ email address and email password, as well as their security question and answer.

If the recipient were to submit this information in order to sign in, all of it would be sent off to the scammers.

turbotax_view_source_html_blurred.png
Figure 3: Source code of TurboTax.htm file

The scammers would now possess the victim’s TurboTax and email login credentials and would know their security question and answer. With all of this information, the attacker could login to the victim’s TurboTax account, email account, and potentially lock the recipient out of both.

Tips when filing your taxes online
Filing your taxes online is intended to be convenient. Unfortunately, scammers know that many users prefer to file online and will experiment with ways to steal login credentials to services like TurboTax.

When preparing to file your taxes, keep the following tips in mind:

  1. Be skeptical of unexpected and unprompted email communications. If you didn’t ask for it, then it is likely a scam.
  2. Never download and open attachments claiming to be a “secure” way to login and verify your identity. This method is intended to bypass anti-phishing features in most modern browsers.
  3. When in doubt, don’t click on a link in an email. Instead, open up a new browser window or tab and login directly.

Symantec reached out to Intuit for comment and they requested that suspicious emails using the TurboTax brand be sent to the following email address:

  • spoof@intuit.com 

Statistics
0 Favorited
0 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Related Entries and Links

No Related Resource entered.